ONLINE SHOPPING SECURITY:
Our merchants use the industry standard of 128-bit SSL to encrypt your data, particularly data related to online credit card processing.
How secure is the encryption used by SSL?
SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the HTTP transaction (both request and response). Each transaction uses a different session key, so if someone manages to decrypt one transaction, that does not mean they have found the server's secret key; to decrypt another transaction, they will need to spend as much time and effort on the second transaction as they did on the first.
Netscape servers and browsers encrypt using a 128-bit secret key. Many people feel that the old 40-bit key is insecure because it is vulnerable to a "brute force" attack (trying each of the 2^40 possible keys until you find the one that decrypts the message). Using a 128-bit key eliminates this problem because there are 2^128 instead of 2^40 possible keys. To crack a message encrypted with such a key by brute force would take significantly longer than the age of the universe using conventional technology.
In Netscape, a solid key in the lower left-hand corner of the Netscape window with three teeth means 128-bit encryption, a solid key with two teeth means 40-bit encryption, and a broken key means no encryption.
In Microsoft Internet Explorer, a solid padlock will appear on the bottom right of the screen when encryption is in use. To determine whether 40-bit or 128-bit encryption is in effect, open the document information page using File->Properties. This will indicate whether "weak" or "strong" encryption is in use.
In short, as long as your data are encrypted, preferably with 128-bit encryption, you will be OK. Actually, there is a much greater risk of credit card fraud when you give your card to any waiter or salesperson!